Cover of: Die SWIFT-Affaire US-Terrorismusbekämpfung versus Datenschutz
Waldemar Hummer

Die SWIFT-Affaire US-Terrorismusbekämpfung versus Datenschutz

Section: Treatises
Volume 49 (2011) / Issue 3, pp. 203-245 (43)
Published 09.07.2018
DOI 10.1628/000389211797917466
  • article PDF
  • available
  • 10.1628/000389211797917466
Summary
As part of the Global War on Terror after the September 11th, 2001 attacks, the U.S. Treasury Department founded a program to track terrorist funding called Terrorist Finance Tracking Program (TFTP). Between 2001 and 2006, under the TFTP the Treasury Department served mere administrative subpoenas on the Society for Worldwide Interbank Financial Telecommunication (SWIFT), thus requiring SWIFT to transfer millions of financial data held on its U.S. server in Culpepper/Virginia not only to the Treasury Department itself but also to 16 secret services and other public authorities in the United States. SWIFT, a belgium provider of international financial payment messaging services, manage normally 12 million financial transactions per day. A series of articles published by The New York Times, The Wall Street Journal and The Los Angeles Times on June 23, 2006 revealed that the United States government, specifically the Treasury Department and the CIA, invaded the computer system of SWIFT's financial transaction services with complete secrecy. The European Data Protection Supervisor, Peter Hustinx, as well as the Article-29-Group established by the Data Protection Directive 95/46/EG and the European Parliament, issued a series of protests against that secret data mining in general and extraction of personal data in particular of US-authorities under the pretext of detection of terrorist financing. In order to calm the rising indignation within the EU as regards this gross violation of data protection, the United States offered in June 2007 some concessions in favour of SWIFT, for example the granting of a Safe-Harbor-Status and agreed to the appointment of an interim independent EU overseer of TFTP searches. After the removal of the Operating Center of SWIFT from Culpepper to Diessenhofen/Switzerland, the United States no longer had unlimited access to the pertinent data of that company and consequently felt itself forced to adhere to the relevant information on the basis of a contractual understanding with the EU. In November 2009, after some efforts of friendly persuasion, the United States and the EU signed the Interim Agreement on the processing and transfer of Financial Messaging Data from the EU to the United States for purposes of the TFTP (SWIFT-Agreement). Thus in February 2010 the European Parliament refused its necessary consent. After having experienced some material changes in its content, the European Parliament was able to agree in July 2010 to the conclusion of the new SWIFT-Agreement, which entered into action at the beginning of August 2010. Article 4 of the SWIFT-Agreement gives EUROPOL a specific role to check whether requests from the US Treasury Department for SWIFT data comply with the terms of the agreement. Due to the Report of the EUROPOL Joint Supervisory Body (JSB) of the implementation of the SWIFT-Agreement delivered in March 2011, no single request of data transfer for purposes of the TFTP has been denied by EUROPOL. The (secret) processing and transfer of Financial Messaging Data from the EU to the United States on the basis of the TFTP is certainly the most spectacular violation of data protection by the government of the United States but by no means the only one. There are some other pertinent fields of complaint, like the transfer of Passenger Name Record (PNR) data to the U.S. Department of Homeland Security and their storage up to fifteen years. Furthermore issues arise from the implementation of the Data Retention Directive and also in the protection of classified information in case of exchange etc. Under the impression of 9/11 the United States apparently abided to the trope that the end would justify (all) the means. However this article aims to show that secret processing and transfer of Financial Messaging Data without paying due process to data protection regulations is unjustified. Unfortunate the reaction of the EU was by no means adequate and reflected a sort of compliance